Manual Chapter : Filter DNS traffic with a DNS security profile

Applies To: BIG-IP AFM 15.0.0

The BIG-IP system can allow or drop packets of specific DNS query types, or with specific opcodes, to prevent attacks or allow legitimate DNS traffic. You can use this to filter out header opcodes or query types that are not necessary on your system, or to respond to suspicious increases in packets of a certain type, as identified with the DNS security profile.
In this task, you create a DNS security profile and configure DNS security settings at the same time. However, you can also configure settings in a DNS security profile that already exists.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > DNS.
     The DNS Security Profiles list screen opens.
  2. Click Create.
     The New Protection Profile screen opens.
  3. In the Name field, type the name for the profile.
  4. From the Query Type list, select how to handle query types you add to the Active list.
     • Select Inclusion to allow packets with the DNS query types and header opcodes you add to the Active list, and drop all others.
     • Select Exclusion to deny packets with the DNS query types and header opcodes you add to the Active list, and allow all others.
  5. In the Query Type Filter setting, move query types to filter for inclusion or exclusion from the Available list to the Active list.
  6. In the Header Opcode Exclusion setting, move header types to filter for exclusion from the Available list to the Active list.
     Only the query opcode is available for header exclusion.
  7. Click Finished to save your changes.
Now you have configured the profile to include or exclude only specified DNS query types and header opcodes.
Specify this DNS security profile in a local traffic DNS profile attached to a protected object.
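The allow/drop semantics of the Inclusion and Exclusion modes, together with the header opcode exclusion, can be modelled on raw DNS messages. The following Python is an added example, not F5 code and not how BIG-IP AFM implements the profile internally: it parses the opcode and first question QTYPE from a DNS message, then applies an assumed profile model (`DnsSecurityProfile`, with the opcode exclusion evaluated before the query-type list and malformed messages dropped). The sample queries are constructed inline with `build_query`.

```python
import struct

# Added example (not F5 code): models the allow/drop semantics of a DNS security
# profile's Query Type (Inclusion/Exclusion) and Header Opcode Exclusion lists.
# Class names, the evaluation order and fail-closed handling are assumptions.

QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
               28: "AAAA", 33: "SRV", 252: "AXFR", 255: "ANY"}
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def parse_dns_query(packet: bytes):
    """Return (opcode, qtype) from the DNS header and the first question.

    Raises ValueError for a truncated or malformed message.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    opcode = (flags >> 11) & 0x0F          # opcode occupies bits 1-4 of the flags word
    if qdcount == 0:
        return opcode, None                # no question section to classify by type
    pos = 12
    while True:                            # walk the QNAME labels up to the root label
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1 + length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return opcode, qtype


class DnsSecurityProfile:
    """Assumed model: one query-type mode plus a set of excluded header opcodes."""

    def __init__(self, mode, active_query_types, exclude_opcodes=()):
        if mode not in ("inclusion", "exclusion"):
            raise ValueError("mode must be 'inclusion' or 'exclusion'")
        self.mode = mode
        self.active = {q.upper() for q in active_query_types}      # the Active list
        self.excluded_opcodes = {o.upper() for o in exclude_opcodes}

    def decide(self, packet: bytes) -> str:
        """Return 'allow' or 'drop'. Malformed messages are dropped (fail closed, assumed)."""
        try:
            opcode, qtype = parse_dns_query(packet)
        except ValueError:
            return "drop"
        if OPCODE_NAMES.get(opcode, str(opcode)) in self.excluded_opcodes:
            return "drop"                  # header opcode exclusion checked first (assumed)
        if qtype is None:
            return "allow"
        name = QTYPE_NAMES.get(qtype, str(qtype))
        in_active = name in self.active
        if self.mode == "inclusion":
            return "allow" if in_active else "drop"   # allow listed types, drop all others
        return "drop" if in_active else "allow"       # drop listed types, allow all others


def build_query(name: str, qtype: int, opcode: int = 0, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (header + one IN question) as sample input."""
    flags = (opcode << 11) | 0x0100        # RD set, as a typical resolver query would have
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    inclusion = DnsSecurityProfile("inclusion", ["A", "AAAA", "MX"])
    exclusion = DnsSecurityProfile("exclusion", ["ANY", "AXFR"], exclude_opcodes=["QUERY"])
    samples = [("A", build_query("example.com", 1)),
               ("ANY", build_query("example.com", 255)),
               ("AXFR", build_query("example.com", 252)),
               ("UPDATE/A", build_query("example.com", 1, opcode=5))]
    for label, pkt in samples:
        print(f"{label:10} inclusion={inclusion.decide(pkt)}  exclusion={exclusion.decide(pkt)}")
```

Running the block shows the practical difference between the two modes: the inclusion profile drops ANY and AXFR because only A, AAAA and MX are on its Active list, while the exclusion profile drops everything carrying the standard QUERY opcode once that opcode is excluded, and only the UPDATE-opcode message reaches the query-type check.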